What’s on your security roadmap? Cybersecurity forecasting with a Fortune 500 CISO

Written by Aoife Anderson

Note: Cybersecurity strategy is an important topic, but it can also be highly sensitive. To allow this CISO to be completely open about their work, we’ve opted not to identify them in this post.

Leading a cybersecurity program across multiple subsidiaries, geographies, or regulatory jurisdictions is incredibly complex.

In the second installment of our 'What's On Your Security Roadmap for 2022' series, the Chief Information Security Officer (CISO) of a global provider of data, technology, and market infrastructure shares why automation, hiring, and cloud tooling are his top priorities to help his team stay ahead of cyber threats.

Automation

The CISO plans to increase his team's usage of automation this year to remove the routine manual processes that cause security bottlenecks, effectively monitor for exposures, and minimize their attack surface.

He explains: "The environment is constantly changing, and so, part of it is we're just getting away from this rudimentary sort of boring grind of day-to-day. The other part is about getting leverage from our investments in both people and technology. Being able to automate one tool is really good, but if we can start threading tools together and automating chains of tools and response actions, then all of a sudden, you get into a world where you no longer need these Tier 1 analysts checking out all the blinky boxes and alerts that are coming in. You can automate away a lot of that stuff so you can run a leaner team, focus on the work that matters and is more meaningful, and then the other piece is just for efficiency's sake.

"Attackers use a lot of automated tooling, so trying to respond to them in a very manual and bespoke human way is not at the scale we need to be effective. CrowdStrike's Dmitri Alperovitch came out with this idea of the 1/10/60 Minute Challenge a few years ago. If someone manages to get a foothold in your network, you have one minute to detect them, 10 minutes to respond, and 60 minutes to remediate. And to try to do that at a human scale just doesn't work. So, automation is key to ensuring your team is agile and can outmaneuver the adversary within your environment.

"We're going through an exercise now to throw all of our automation ideas on the table, and then we'll rack and stack them based on priority and where we think we can have the most impact for the broader team."

Hiring

Like many organizations, the company now has a more pronounced global perspective when hiring talent, but the CISO admits it continues to be challenging to recruit security professionals.

He says: "The competitive landscape to bring in talent is really, really tough. I think it's an acute issue now that will normalize over the next year or so, but hiring is definitely something that is top of mind for us.

"We're trying to hire the strongest athletes wherever they exist. To attract talent, we prioritize meaningful and cutting-edge work. We're a red-team-first security organization, which means I have a lot of really fired-up folks that try to burn the house down every day. And so, the blue team gets a lot of work too. They are constantly being targeted and attacked. We're always trying to play cat and mouse with the red teamers, who tend to have more of an advantage because they're familiar with the environment versus attackers from the outside. I think that's one of the things that's cool and unique in our environment. But, the reality is everybody is going towards a hybrid working model and hiring athletes wherever they exist, which adds to the hiring competitiveness.

"That's another reason we are investing in automation because to try to scale humans is challenging, but we can more easily scale technology."

Cloud tooling

This CISO is also looking to replace some legacy software and believes it's much easier to take a bespoke approach and keep pace with attackers using highly flexible tools with robust APIs.

He explains: "Part of that is just the natural maturation of the security industry; having better tooling that's agile and lighter weight, and different approaches.

"I think this is one of the reasons why being a CISO is so cool; there isn't a one-size-fits-all approach or a recipe book that can tell you to do A, B, C, and all of a sudden, you'll have a secure organization. That's where it's more of an art than a science to say, 'Okay, given this unique environment, here is how we think we should best approach security tooling to buy down the risk for the organization.' And as you change that input, you have to change your tooling out of necessity. That is one factor driving change.

"The other factor is the landscape of cyber threat actors, and the threats that are coming at you change fairly rapidly, so you have to keep pace with that. There are a lot of variables that force you to have to think through the latest and greatest technologies. As we move to new technologies, we're looking for things with a robust API backend that can easily interoperate with other technologies. Consolidating tools is great, but in this contested cyber environment, best-of-breed security tooling is really what I'm after. If it's a suite that has best-of-breed of everything, that's great, but I haven't found that to exist yet."

The CISO's top tips for choosing a security product

Prioritize functionality over marketing spend: "I look for interoperability and forward-thinking tools that are trying to solve problems that are on the horizon, and have shown their efficacy. I would much rather go after a product that is deep technically versus something that has some cool glossy graphics but not much in the way of technical backend."

Evaluate technical expertise: "I also look at who are the people that are writing the tools. We tend to build many things in-house at our organization, so we are essentially builders that buy. We have a really good idea of what it takes to make the magic happen for the capability we're after. And so, we become very, very informed consumers to understand what exactly is happening in the backend because we're trying to achieve a specific effect in the environment."

Interested in learning about what other CISOs are prioritizing in 2022? Check out this previous post with MongoDB's Lena Smart here.
